Fortis Adaptive Threat Response is an exciting new automation-based, 100% free add-on feature available to Fortis ActiveDefense XDR customers that satisfy certain technology requirements. Read on for some basic information on what it is, how it works, and some impressive early statistics that showcase its effectiveness.

What is Adaptive Threat Response?

Adaptive Threat Response (ATR) is automated network threat isolation and blocking with supported ActiveDefense™ Edge firewalls. It leverages machine learning and other proprietary techniques to respond to behavioral threats automatically. The overall goal of Adaptive Threat Response (ATR) is to lower the time from detection to remediation for network-related threats through automation and orchestration.

What alarms/events trigger Adaptive Threat Response action?

The Fortis threat intelligence team creates ATR-enabled alarms through the Fortis Threat Exchange based on high fidelity signature detections from various log sources. ATR-enabled alarms are continuously being added and modified to stay current with the latest threat actor tactics and techniques. Common activity subject to ATR automation and orchestration includes but is not limited to: Command and Control, Botnet, Aggressive Port Scanning, Exploit Attempts, and Remote Code Execution.

By the numbers

Initial metrics help show the value of Fortis ATR and its ability to accelerate Time to Protect and reduce engineering labor:

In April 2023, 122 unique public IP addresses were subject to automated blocking through Adaptive Threat Response (ATR)

• All Fortis customers configured for Global Enrollment successfully blocked 122 IP addresses that exhibited malicious activity across our customer base

Out of 122 unique public IP addresses that were blocked, 30 were repeat offenders for ATR blocking and will continue to stay blocked indefinitely until 30 days pass with no malicious activity being seen across the Fortis customer base.

• 92 unique public IP addresses will be removed from block lists in the upcoming month, as long as no additional malicious activity is found from these specific IP addresses.

Year to date, almost 2,000 individual firewall rules were configured and updated by our ATR automation and orchestration

• With one individual firewall rule modification taking an average of 30 minutes, we saved engineering resources almost 1,000 hours compared to if these rule modifications were completed manually across our ATR-enrolled devices. More importantly, the average Time to Protection was reduced from an average of 30 minutes to under one minute per block.

The top 4 type of attacks that triggered ATR automation and blocking were:

• MALWARE-CNC User-Agent known malicious user-agent string – Mirai
• MALWARE-CNC Html.Webshell.Hafnium inbound request attempt
• MALWARE-CNC Win.Backdoor.Chopper web shell connection
• SERVER-OTHER Apache Log4j logging remote code execution attempt 
  

The Adaptive Threat Response differentiator

Based on the stats posted above, Fortis customers that have Global Enrollment with our ActiveDefense™ ATR gained real-world intelligence and future protection for high confidence malicious intent across their networks. Those enrolled in ActiveDefense™ ATR also saw significant time savings from the Time to Detect (TTD) to the Time to Respond/Remediate (TTR). What would have taken 30 minutes of work per firewall modification on average for remediation is now being executed in seconds, reacting and protecting our customers faster than ever.